Re: CASSANDRA-18554 - mTLS based client and internode authenticators

[Dinesh Joshi]

folks - I think we’ve achieved lazy consensus here. Please continue with feedback on the jira. Thanks, Dinesh On Jul 7, 2023, at 12:23 PM, Jyothsna Konisa <jyothsna1...@gmail.com> wrote:  Hi Yuki, Jeremiah & Christopher, Thank you very much for the feedback. Regarding removing superuser check for adding/removing identities, I have relaxed that check and added permissions check instead. With this change only users with appropriate permissions to add/drop identities can perform that action. About extending `Create Role` cqlsh statement, we have a couple of reasons for not doing that. We designed the mTLS authenticator in such a way that a single role can be associated with multiple identities, EX: there can be several identities which are read_only users. Also, having a separate cqlsh statement for identities makes it more pluggable and independent. If we still think that extending the create role statement would be a convenient feature, we can add it as required in the followup patches. Christopher, I will be acting upon your feedback regarding having identity in the cassandra.yaml optionally configurable. Thanks, Jyothsna Konisa. On Thu, Jul 6, 2023 at 5:30 PM Dinesh Joshi <djo...@apache.org> wrote: > On Jun 30, 2023, at 1:09 PM, Jeremiah Jordan <jerem...@datastax.com> wrote: > > I don’t think users necessarily need to be able to update their own identities.  I just don’t want to have to use the super user role.  The super user role has all power over all things in the data base.  I don’t want to have to give that much power to the person who manages identities, I just want to give them the power to manage identities. Makes sense. I think Jyothsna already pushed an update to the PR to relax the restriction. Please feel free to take a look at it. Dinesh